IOC Report
phish_alert_sp2_2.0.0.0.eml

phish_alert_sp2_2.0.0.0.eml

RFC 822 mail, ASCII text, with very long lines (1901), with CRLF line terminators

initial sample

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

data

dropped

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

ASCII text, with very long lines (65536), with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2D856CF8-223E-4CCC-8CBE-45FB4A4947CC

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

SQLite Rollback Journal

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A2E811BA-8EE8-4D9B-B294-2324B35EC9D9" "9DC555F0-4DDE-45D0-8693-5EC74425237E" "7568" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

https://shell.suite.office.com:1443

unknown

https://designerapp.azurewebsites.net

unknown

https://autodiscover-s.outlook.com/

unknown

https://useraudit.o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/connectors

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://login.windows.localnull

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown